We've Come a Long Way...

SECURITY IS NOT JUST CODE!


"Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."

- NIST vulnerability definition


CONSIDERATIONS FOR
SMART CONTRACT DEVELOPMENT


What Can Go Wrong with Code, and How to Mitigate

ISSUE                          EXAMPLE
Memory safety                  Overflows, underflows, dangling pointers
Input validation               Code injection, format string hacks, SQL injection, etc.
Privilege escalation flaw      Missing or incorrect access controls
Fundamental design flaws       Denial of Service (DoS)
Side channel attacks           Timing attacks
Cryptographic vulnerabilities  Insecure key storage, weak randomness of keys

MITIGATION
- Threat modelling
- Audits
- Testing
- Fuzzing
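As an added example (not code from the slides, from Parity or from the Trail of Bits report), here is a minimal token ledger in Rust, the language the deck later recommends for runtimes, showing two rows of the table above next to their fixes: unchecked balance arithmetic that wraps (an account holding 0 "sends" 1 and ends up with u64::MAX), and a mint function that anyone can call beside one gated on the ledger owner. The fixed transfer also handles the self-transfer edge case, where writing the sender's and then the receiver's balance would double the funds. All names (Ledger, AccountId, LedgerError, the account numbers) are invented for this example.

```rust
// Added example, not from the slides or from any project they cite.
// Two rows of the table: "overflows, underflows" and "access controls",
// each as a vulnerable function next to its fixed counterpart.
// All names here are invented for the example.
use std::collections::HashMap;

pub type AccountId = u32;

#[derive(Debug, PartialEq, Eq)]
pub enum LedgerError {
    InsufficientBalance,
    Overflow,
    NotOwner,
}

pub struct Ledger {
    owner: AccountId,
    balances: HashMap<AccountId, u64>,
}

impl Ledger {
    pub fn new(owner: AccountId) -> Self {
        Ledger { owner, balances: HashMap::new() }
    }

    pub fn balance_of(&self, who: AccountId) -> u64 {
        self.balances.get(&who).copied().unwrap_or(0)
    }

    /// VULNERABLE: wrapping arithmetic and no balance check. `wrapping_*` is
    /// used so the demo is deterministic; in a release build plain `-` and
    /// `+` on u64 wrap the same way because overflow checks are off.
    pub fn transfer_unchecked(&mut self, from: AccountId, to: AccountId, amount: u64) {
        let new_from = self.balance_of(from).wrapping_sub(amount);
        let new_to = self.balance_of(to).wrapping_add(amount);
        self.balances.insert(from, new_from);
        self.balances.insert(to, new_to);
    }

    /// FIXED: checked arithmetic, the self-transfer case handled, and no
    /// state written until every check has passed (no partial updates).
    pub fn transfer(&mut self, from: AccountId, to: AccountId, amount: u64) -> Result<(), LedgerError> {
        let new_from = self
            .balance_of(from)
            .checked_sub(amount)
            .ok_or(LedgerError::InsufficientBalance)?;
        if from == to {
            // Writing new_from and then new_to would double the balance.
            return Ok(());
        }
        let new_to = self
            .balance_of(to)
            .checked_add(amount)
            .ok_or(LedgerError::Overflow)?;
        self.balances.insert(from, new_from);
        self.balances.insert(to, new_to);
        Ok(())
    }

    /// VULNERABLE: the caller is never checked, so any account can create
    /// tokens out of thin air.
    pub fn mint_unchecked(&mut self, _caller: AccountId, to: AccountId, amount: u64) -> Result<(), LedgerError> {
        let new_to = self
            .balance_of(to)
            .checked_add(amount)
            .ok_or(LedgerError::Overflow)?;
        self.balances.insert(to, new_to);
        Ok(())
    }

    /// FIXED: only the owner recorded at construction may mint.
    pub fn mint(&mut self, caller: AccountId, to: AccountId, amount: u64) -> Result<(), LedgerError> {
        if caller != self.owner {
            return Err(LedgerError::NotOwner);
        }
        self.mint_unchecked(caller, to, amount)
    }
}

fn main() {
    let mut ledger = Ledger::new(1);
    ledger.transfer_unchecked(2, 3, 1); // account 2 holds 0
    println!("after unchecked transfer, balance of 2 = {}", ledger.balance_of(2)); // u64::MAX
    println!("anyone mints: {:?}", ledger.mint_unchecked(7, 7, 1_000)); // Ok(())
    println!("non-owner mint: {:?}", ledger.mint(7, 7, 1_000)); // Err(NotOwner)
    println!("owner mint: {:?}", ledger.mint(1, 4, 100)); // Ok(())
    println!("overdraw: {:?}", ledger.transfer(4, 5, 101)); // Err(InsufficientBalance)
}
```

The fixed transfer computes both new balances before writing either, so a failed check cannot leave the ledger half-updated; that "check everything, then write" ordering is the same discipline the table's threat modelling and testing rows are meant to enforce.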
Secure Smart Contract Code!?


LEARNINGS 


The frequency and nature of vulnerabilities in smart contract code and in normal code are similar, but:
- What you read about does not necessarily equate to what you should be worried about
- A large share of the findings (almost 49%) are almost impossible to imagine detecting with a tool or with testing

Smart contract development is the opposite of agile!


ToB Report: https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/ 
A Comprehensive Checklist
for Smart Contract Development


PARITY TECHNOLOGIES 
14 POINT CHECK LIST 


https://www.parity.io/paritys-checklist-for-secure-smart-contract-development/ 
GitHub and Repo Structure


- Create a new GitHub organization
- Put every contract in a separate repo
- Embed dependencies (vendor them into the repo instead of fetching them at build time)


©2020 Andreessen Horowitz. All rights reserved worldwide. 


Highlights from the Check List 


Deployment 


- The actual deployed state of each contract should live in a protected master branch
- Every contract should have a README that lists its deployment addresses on all networks


Code Quality 


- Write the tests in a different language than the contract itself, so that bugs caused by syntax quirks and misunderstandings of the contract language can be discovered by the tests
- Reviews should be required for pull requests
Beyond Code: Security in a Developing
Interdependent and Open Ecosystem


SOME OBSERVATIONS 


- More and more projects are rolling their own chains, despite the lesson of "Don't roll your own crypto!"
- Limitations in scalability: chains are competing with each other for security
- Limitations in frameworks: the app ecosystem is developing complex interdependencies
SOLUTIONS AND CONSIDERATIONS
GOING FORWARD


Naive Scaling: 
Fractured Security and Weak Interoperability 


BRIDGED CHAINS 
Better Scaling: Pooled Security and Strong Interoperability


SHARDED BLOCKCHAIN 
Moving On from a One-size-fits-all Approach...

Achieving Customization and Compartmentalization


HETEROGENOUS MULTICHAIN 
Build a Structured Framework to Ease Development
and Close Security Holes


Customizable runtime models vs. one-size-fits-all Turing-complete virtual machines

Adopt standards like Wasm and "safer" languages like Rust


On-chain governance in case of ultimate failure 
What Blockchain Can Learn from Other Industries

Key Takeaways


Security is more than code 


Don't roll your own blockchain 


Be humble and learn from other industries 


Security is hard and we’re in this together 